Minerva (https://minerva.sandelman.ca/), feed updated 2018-11-14T22:12:21-05:00
Minerva is a reference implementation of the ANIMA BRSKI MASA, Join Registrar and Autonomic Control Plane (RPL and IPsec).
Author: Michael Richardson, mcr@sandelman.ca, http://www.sandelman.ca/mcr/ (generated by Jekyll)

Minerva Highway MASA and Fountain JRC in LXD containers: v2
https://minerva.sandelman.ca/containers/2018/11/14/minerva-lxd-update.html
Published 2018-11-14T00:00:00-05:00 by phlow. ANIMA in a virtual box
<p>This is another update to <a href="/containers/2018/10/20/minerva-in-lxd-form">Minerva in LXD form</a>.</p>
<p>The 3rd highway image is at:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget https://minerva.sandelman.ca/qcow/0e745ddb6a22fa7e9a783215a8d9dcb81386972a6e7e54ee97b721cda79b070b.tar.gz
lxc image import \
0e745ddb6a22fa7e9a783215a8d9dcb81386972a6e7e54ee97b721cda79b070b.tar.gz \
--alias highway
</code></pre></div></div>
<p>This version adds a “rake highway:signcsr CSR=file.csr CERT=output.pem” task,
which processes a Certificate Signing Request and produces an IDevID
based upon the provided public key and the requested serialNumber.</p>
<p>A pre-existing instance of highway can be upgraded by running:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>lxc exec highway -- su - highway
highway@highway0:~$ curl https://minerva.sandelman.ca/qcow/highway-20181115025559.tgz | tar -C / --unlink -x -z -v -f -
..
</code></pre></div></div>
<p>Verify that the current link was updated:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>highway@highway0:~$ ls -l current
lrwxrwxrwx 1 highway highway 37 Nov 14 21:33 current -&gt; /home/highway/releases/20181115025559
</code></pre></div></div>
<p>Then run any migrations that there might be:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>highway@highway0:~$ cd current
highway@highway0:~/current$ rake db:migrate
== 20181113230344 AddCertificateToDevice: migrating ===========================
-- add_column(:devices, :idevid_cert, :text)
-&gt; 0.0050s
== 20181113230344 AddCertificateToDevice: migrated (0.0060s) ==================
</code></pre></div></div>
<p>For details on configuring the MASA, see <a href="/highway/configuration">Highway Configuration</a>.</p>
<p>For details on configuring the JRC, see <a href="/fountain/configuration">Fountain Configuration</a>.</p>
Updated 2018-11-14T00:00:00-05:00

Minerva Highway MASA and Fountain JRC in LXD containers: v2
https://minerva.sandelman.ca/containers/2018/11/05/minerva-lxd-update.html
Published 2018-11-05T00:00:00-05:00 by phlow. ANIMA in a virtual box
<p>This is an update to <a href="/containers/2018/10/20/minerva-in-lxd-form">Minerva in LXD form</a>.</p>
<p>The new images are at:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget https://minerva.sandelman.ca/qcow/7df6fccf01a3d357911238ab421a2db80ca9839de4e43ac145a15e4683a8cf13.tar.gz
lxc image import 7df6fccf01a3d357911238ab421a2db80ca9839de4e43ac145a15e4683a8cf13.tar.gz \
--alias fountain
wget https://minerva.sandelman.ca/qcow/cacf07b8d06bcae406c3d802710b41c5849de7c032790516c511576cde9d9799.tar.gz
lxc image import cacf07b8d06bcae406c3d802710b41c5849de7c032790516c511576cde9d9799.tar.gz \
--alias highway
</code></pre></div></div>
<p>For details on configuring the MASA, see <a href="/highway/configuration">Highway Configuration</a>.</p>
<p>For details on configuring the JRC, see <a href="/fountain/configuration">Fountain Configuration</a>.</p>
Updated 2018-11-05T00:00:00-05:00

Minerva Highway MASA and Fountain JRC in LXD containers
https://minerva.sandelman.ca/containers/2018/10/20/minerva-in-lxd-form.html
Published 2018-10-20T00:00:00-04:00 by phlow. ANIMA in a virtual box
<p>Start with your generic Ubuntu machine. This demo uses an Amazon EC2
instance running 18.04 (Bionic). Typically, this will be used on a
laptop or desktop development system to which embedded-system-based pledges
will be connected.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ubuntu@ip-172-30-0-190:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: dir
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]: auto
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
</code></pre></div></div>
<p>The images are stored at:
https://minerva.sandelman.ca/qcow/</p>
<p>Unfortunately, lxc image import does not seem to want to import in a
single step from https resources, so it is necessary to download with wget
first:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget https://minerva.sandelman.ca/qcow/509228349075d52dfd67a6b828b6a5d513e6752fa27cc1f28b87a13898899b31.tar.gz
lxc image import 509228349075d52dfd67a6b828b6a5d513e6752fa27cc1f28b87a13898899b31.tar.gz \
--alias highway
wget https://minerva.sandelman.ca/qcow/2889fadee648fc9cb940bfc49b6de634ff6a09a5860717575518b81061232851.tar.gz
lxc image import 2889fadee648fc9cb940bfc49b6de634ff6a09a5860717575518b81061232851.tar.gz \
--alias fountain
ubuntu@ip-172-30-0-190:~$ lxc image list
+----------+--------------+--------+------------------------------------+--------+----------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+----------+--------------+--------+------------------------------------+--------+----------+------------------------------+
| fountain | 509228349075 | no | Ubuntu 18.04 LTS server (20181003) | x86_64 | 648.93MB | Oct 22, 2018 at 2:54am (UTC) |
+----------+--------------+--------+------------------------------------+--------+----------+------------------------------+
ubuntu@ip-172-30-0-190:~$ lxc launch fountain fountain0
Creating the container
ubuntu@ip-172-30-0-190:~$ lxc profile copy default lanprofile
ubuntu@ip-172-30-0-190:~$ lxc profile device set lanprofile eth0 nictype macvlan
ubuntu@ip-172-30-0-190:~$ lxc profile device set lanprofile eth0 parent eth0
ubuntu@ip-172-30-0-190:~$ lxc launch -p lanprofile fountain fountain0
ubuntu@ip-172-30-0-190:~$ lxc launch -p lanprofile highway highway0
</code></pre></div></div>
<p>At this point you will have two LXD containers, one called fountain0 and one
called highway0. Start with the highway0 container.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>lxc exec highway0 -- /bin/bash
root@florean:~#
</code></pre></div></div>
<p>The instance is called florean after “florean.sandelman.ca”. You should
adjust the hostname and the network settings by editing the files:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@florean:~# vi /etc/hostname /etc/network/interfaces /etc/resolv.conf
</code></pre></div></div>
<p>Edit to suit, then restart the container or use ifdown/ifup to apply the settings.
The MASA will need a name that will be put into certificates and that is
reachable from without your test network. This can be hacked on the
Registrar using /etc/hosts, but it is better to get your IT department to
allocate a name and put it into (internal) DNS.</p>
<p>Once you have a network configuration that you like, and which is accessible
on your network by name to your registrar instances, you may wish to enable
ssh within the container. This is not required; you can always enter the
container using bash (as root), or go directly to the MASA (highway) user:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>% lxc exec highway -- su - highway
highway@florean:/root$
</code></pre></div></div>
<p>To start ssh, you need to first install your ssh keys:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>% lxc exec highway -- su - highway
highway@florean:/root$ vi ~/.ssh/authorized_keys
</code></pre></div></div>
<p>The image ships with ssh keys for mcr@; you may remove them if you do not need or want remote support.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>% lxc exec highway -- /bin/bash
root@florean:~# service ssh start
</code></pre></div></div>
<p>The rest of this guide assumes you have logged in as the highway user, either
via lxc exec or via ssh.</p>
<p>The above instructions apply equally to the fountain container.</p>
<p>For details on configuring the MASA, see <a href="/highway/configuration">Highway Configuration</a>.</p>
Updated 2018-10-20T00:00:00-04:00

Hermes connect prototype Mark II
https://minerva.sandelman.ca/hermes/2018/09/13/hermes-markII-prototype.html
Published 2018-09-13T00:00:00-04:00 by phlow. ANIMA in a blue box
<p>As part of developing a reference design of the ANIMA protocols, and
validating the design, a platform was developed to run ANIMA.</p>
<p>The mark I case contains an Orange PI Zero, plus two additional ethernet
interfaces connected via USB. With three network interfaces, interesting
ACP topologies can be built and tested:</p>
<p><img src="/images/markI.jpg" alt="Hermes mark I prototype" /></p>
<p>The mark II case adds a serial port to the design, making it capable of
doing Out-Of-Band management of router devices. This is still a prototype;
the plan is to spin a board and produce a slightly smaller case:</p>
<p><img src="/images/bluecase-cisco-cable-labelled.png" alt="Hermes mark II prototype" /></p>
<p>A target design would be smaller, and would reduce heat dissipation.
An additional goal is to include one or more TTL outputs that could be
interfaced to something like the <a href="https://www.sparkfun.com/products/retired/10747">power-switch Tail</a>.</p>
<p>The devices are currently powered by USB, and do not require as much power
as typical RPI designs. They are easily powered from available USB ports,
but if a management goal is to be able to power cycle systems, then causing
the management system to go off as well would be bad.</p>
<p>A stretch goal is therefore to be able to draw power from industry standard
PoE, while also passing PoE power <em>downstream</em> to the next Hermes device
in the daisy chain. That goal is ambitious.</p>
Updated 2018-09-13T00:00:00-04:00

Reach changed to include MASA anchor
https://minerva.sandelman.ca/reach/2017/11/08/reach-fixed-to-include-anchor.html
Published 2017-11-08T00:00:00-05:00 by phlow. Prof. Mcgonagall can turn into a cat!
<p>The reach pledge simulator now accepts a new argument PRODUCTID.</p>
<p>This should point to a directory containing the device.crt (IDevID) and
the key.pem (private key). In addition, it should include the vendor’s root
CA key (filename “vendor.crt”) in order to validate the voucher.</p>
<p>The highway MASA product creator now includes all the right components
in the zip file provided, so there is much less chance of operator
error when running a test case. It’s as easy as:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget https://honeydukes.sandelman.ca/product_00-D0-E5-02-00-0A.zip
unzip product_00-D0-E5-02-00-0A.zip
rake reach:send_voucher_request PRODUCTID=00-D0-E5-02-00-0A JRC=https://fountain-test.sandelman.ca/
</code></pre></div></div>
<p>See the <a href="/jokeshop">jokeshop</a> description for an updated set of instructions.</p>
Updated 2017-11-08T00:00:00-05:00

What's with the ducks?
https://minerva.sandelman.ca/ducks/2017/10/26/ducks.html
Published 2017-10-26T00:00:00-04:00 by phlow. H No, no, 'e's uh,...he's resting!
<p>You might wonder what the ducks are doing in the Manufacturer image, and
why a duck and ducklings are wandering up to the customs agent in the
Registrar image.</p>
<p>It was suggested in the early days of ANIMA by Michael Richardson that the
imprinting process was rather like the
<a href="https://en.wikipedia.org/wiki/Imprinting_(psychology)">imprinting process</a>
first described by biologist Konrad Lorenz. In the story told in
many high school biology classes, ducklings would imprint on whatever looked
like a mother at a critical period in their development.</p>
<p>It turns out that more famous people (Stajano and Anderson) had previously
suggested exactly that in their 1999 paper, <a href="https://www.cl.cam.ac.uk/~fms27/papers/1999-StajanoAnd-duckling.pdf">Resurrecting Duckling: security for ad-hoc wireless networks</a>.</p>
<p>Thus ducklings.</p>
Updated 2017-10-26T00:00:00-04:00

Weasley Joke shop setup
https://minerva.sandelman.ca/metasite/2017/10/25/jokeshop-setup.html
Published 2017-10-25T00:00:00-04:00 by phlow. U-No-Poo would hate the security
<p>Two instances of the Highway MASA have been set up. They are named
after two shops from the wizarding world of Harry Potter. See
<a href="/jokeshop">Jokeshop</a> for an explanation of them.</p>
<p>Expect some changes, as the created MASA signing keys are both named
localhost, when they should really be named after the Jokeshop.</p>
Updated 2017-10-25T00:00:00-04:00

Why is this project called Minerva?
https://minerva.sandelman.ca/metasite/2017/10/17/why-the-name-minerva.html
Published 2017-10-17T00:00:00-04:00 by phlow. Prof. Mcgonagall can turn into a cat!
<p>The IETF ANIMA working group is named:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>"Autonomic Networking Integrated Model and Approach"
</code></pre></div></div>
<p>ANIMA has a goal:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Autonomic networking refers to the self-managing characteristics
(configuration, protection, healing, and optimization) of distributed
network elements, adapting to unpredictable changes while hiding
intrinsic complexity from operators and users.
(see the Charter: https://datatracker.ietf.org/wg/anima/about/)
</code></pre></div></div>
<p>Meanwhile, an Animagus is:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>An Animagus (pl. Animagi) is a witch or wizard who can morph him or
herself into an animal at will. (wiki entry: http://harrypotter.wikia.com/wiki/Animagus)
</code></pre></div></div>
<p>While looking for a name that was related to “ANIMA”, the word “Animagus”
came up. It was thought that maybe one could name the project after some famous
Animagus! Maybe “Sirius Black” or “padfoot” (his name as a dog) would be a
good name. But the most well known Animagus is Professor Minerva
Mcgonagall.</p>
<p>The name Minerva looked interesting, and upon investigation, the name seemed
associated with a lot of actual IoT-like things. See the <a href="/info">info</a> entry
for more links.</p>
Updated 2017-10-17T00:00:00-04:00

Jekyll Theme changed
https://minerva.sandelman.ca/metasite/2017/10/16/switched-to-feeling-responsive.html
Published 2017-10-16T00:00:00-04:00 by phlow. better to bend than fight
<p>After trying to build the site with a stock time-machine jekyll theme (which
is installed via Gem, plus minor overrides), I gave up and switched to
feeling-responsive.</p>
<p>Feeling-responsive is not installed via Gemfile; rather, one either downloads
a zip file and starts from that, or does a git merge of the bare-bones
version. I did the latter, but perhaps will start again from a zip file,
because I don’t really want my history polluted with the feeling-responsive
code.</p>
<p>On the other hand, I fixed/upgraded one thing in the base code so that I
could put an icon in the header, and upstreaming that, while also having my code
based upon it, is a bit annoying.</p>
Updated 2017-10-16T00:00:00-04:00